Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Cloud Programming Apple Idle

iCloud Allegedly Locked Out User Whose Last Name is a Boolean Value (engadget.com) 208

"iCloud has had the occasional service issue, but its latest problem appears to be highly... specific," writes Engadget: Actor and author Rachel True claims iCloud has effectively locked her out of her account due to the way her last name was written. Reportedly, her Mac thought lower-case "true" was a Boolean (true or false) flag, leading the iCloud software on the computer to seize up. The problem has persisted for over six months, she said.

True said she'd spent hours talking to customer service, and that Apple hadn't stopped charging her for service. She could switch to the free tier, although she'd also lose most of her online storage if she did.

True has apparently resorted to imploring desperately in tweets to both @Apple and @AppleSupport. "Now that I a layman have explained problem to you a giant computer company, could u fix...?"

"A thing I've learned about life so far is I hate being the test case."

"When I get a dog I'm naming it Boolean Bobby Drop Tables True"
This discussion has been archived. No new comments can be posted.

iCloud Allegedly Locked Out User Whose Last Name is a Boolean Value

Comments Filter:
  • xkcd (Score:5, Insightful)

    by anonieuweling ( 536832 ) on Sunday March 07, 2021 @11:35AM (#61133078)
    • by shanen ( 462549 )

      And parent should be modded funnier than insightful...

  • by SuperKendall ( 25149 ) on Sunday March 07, 2021 @11:46AM (#61133108)

    How many among us can be 100% sure that if every string field we sent up to the server in either a form POST or GET parameters were set to the value "true", we'd not see the same issue...

    The second link especially shows the truth of what is going on, with a "Type error: cannot set value 'true' to property 'lastName'"!!

    So that seems like something great to try out in unit, or at least UAT testing...

    This is really where the type-nonchalance of JSON comes to bite you on the ass as the entire chain from entry to extraction should be able to ensure type. Or maybe just anything that reads values from JSON and is expecting a string, should treat any numbers/bools found as strings even if the JSON parser didn't think of them that way. Or maybe some kind of schema overlay where you could tell a parse explicitly what you expected type-wise out of dictionary keys and then it would always do that conversion.

    • by hey! ( 33014 )

      Yes, something is rotten here with user input handling.

    • by reanjr ( 588767 ) on Sunday March 07, 2021 @11:51AM (#61133118) Homepage

      This has nothing to do with JSON. JSON makes a very clear distinction between boolean true and the string "true".

      This is gross incompetence on Apple's part. It really makes you wonder what kind of security holes they've got unpatched due to accepting user input without validation.

      • This has nothing to do with JSON. JSON makes a very clear distinction between boolean true and the string "true".

        Yep. The fun only starts to happen after you pass it through json_decode().

      • by AmiMoJo ( 196126 )

        iCloud seems to have a history of poor security. All those hacked celebrity accounts were due to not limiting password attempts.

      • Uh, no. It would be like finding that Google or Amazon is hosting a service for someone maliciously collecting user information.

        Technically that is not correct, because true and true enclosed by quotes, are both strings that a JSON parser has to interpret in different ways... all of JSON is a string that you are parsing, so "value" : true and value : "true" will both parse just fine, even though one results in a type you do not want...

        I have personally seen servers suddenly forget to quote some strings tha

    • How many among us can be 100% sure that if every string field we sent up to the server in either a form POST or GET parameters were set to the value "true", we'd not see the same issue...

      The majority of servers are running a language designed by clowns, that's true, but they usually have operators like '===' and '!==' for comparing strings without converting things like "true" into a double precision 1.0 for the comparison.

      • by Sique ( 173459 )
        It has nothing to do with the choice of computer languages. The problem is that both the input and the computer language are based on the same set of terminal symbols. That's why any computer language has methods to differentiate strings that are just strings and strings that form symbols within the language. Sanitizing input is a necessity independent of the language you are using. It means that you reverse the process a parser is working through when it is reading a program. You have to insert additional
        • No, it absolutely has to do with computer languages. Specifically, it's the difference between weakly and strongly typed languages.

          I would bet that, at some point, most issues that someone has with a name like "Null" or "False" means that there was a bug in some JavaScript code somewhere (oops, not enough equal signs), because it's all too easy to accidentally convert strings to Booleans or numbers or nulls. This an inherent flaw of the language (in the form of a convenient feature), in the same way that

    • by _xeno_ ( 155264 ) on Sunday March 07, 2021 @12:21PM (#61133196) Homepage Journal

      That doesn't sound like JSON, that sounds like a poorly written HTTP form parser. JSON makes a clear distinction between booleans (true, false) and strings of those booleans ("true", "false").

      HTTP form parameters are just strings, which means that they have no inherent type, which means that trying to be "too clever" with parsing them can lead to things like seeing lastName=True and deciding that True means boolean. (A similar thing happens with numbers: does foo=0 mean the number 0 or does it mean the string "0"? If all you have is the HTTP parameters, who knows?)

      The HTTP form parser should just parse to string key and string value pairs (well, string array values - keys can and will appear multiple times and you need to be prepared to handle this) and then offer convenience methods to convert to proper types when the type is known. Trying to pre-convert types leads to this bug.

    • Why in the world are they basing any 'type' on user input? Smells of a stack exchange copy paste programmer.
    • How many among us can be 100% sure that if every string field we sent up to the server in either a form POST or GET parameters were set to the value "true", we'd not see the same issue...

      I can. Why? Because I use prepared statements for all database interactions. Anyone using inline SQL even one time needs to be pulled from their job immediately and retrained. Anyone using it twice needs to be reprimanded. Anyone using it three times needs to be demoted (and perhaps put on unpaid leave). Anyone using it four times needs to be fired.

      This has been a solved problem for decades, and any project subject to SQL injection just demonstrates gross incompetence.

    • Comment removed based on user account deletion
  • With a carefully worded name.
    Then you'll get attention.

  • by 93 Escort Wagon ( 326346 ) on Sunday March 07, 2021 @11:54AM (#61133126)

    My last name is /0

    • That's fine, but probably lucky that it's not \0. (or is that what you meant? Or is there a language I'm not familiar with that treats forward slashes as an escape sequence?)

      • by sphealey ( 2855 )

        It has been a billion years since I worked with any IBM JCL but IIRC a forward slash was a control signal in that bizarre language.

        • No. // was the introducer for a JCL control card/statement. /* signalled end-of-stream. /0 was nothing at all (that is, was either part of a stream or, if a statement was expected then it was an error).

      • Nope, was just thinking "divide by zero". But if you start analyzing it, it doesn't work.

        Maybe I could have done something with a ternary operator...

    • I have a normal last name, but my iTunes account was deleted right after I uploaded my Spandau Ballet tracks.

    • No problem for my FORTRAN code, it hands 2H\0 well. Hollerith field will one day rule them all.
  • Bind variables (Score:5, Informative)

    by sphealey ( 2855 ) on Sunday March 07, 2021 @11:54AM (#61133128)

    There are also a number of people in the US named Null, as in former St. Louis Rams quarterback Keith Null. One should never be creating code that directly compares information received from an external source to a string - the external information should always be ingested into a variable of suitable type and then preprocessed before comparison to another variable.

    • by gweihir ( 88907 )

      Indeed. This is the very embodiment of what makes injection-attacks possible.

      Of course, the injection attack refuses to die, so the utterly incompetent coders stay active and "contribute" in a lot of places.

  • And I thought I had problems ... I have it easy!

    Sincerely,

    Bobby print_r($output,true); die();

  • Sorry, but "racheltrue@icloud.com" has no delimiters that might mess with a concatenated query, and definitely would not affect properly sanitized, delimited, quoted string parameters for a SQL query.

    I would have to see the code to understand how this could mess up validation for her login. Using an IndexOf or Contains for "true" makes no sense, in any context, either. I can't fathom even a bad coding scenario where that might happen.

    On the other hand, if it had to be coded in one of Apple's non-industry st

    • by dgatwood ( 11270 )

      Sorry, but "racheltrue@icloud.com" has no delimiters that might mess with a concatenated query, and definitely would not affect properly sanitized, delimited, quoted string parameters for a SQL query.

      I would have to see the code to understand how this could mess up validation for her login. Using an IndexOf or Contains for "true" makes no sense, in any context, either. I can't fathom even a bad coding scenario where that might happen.

      On the other hand, if it had to be coded in one of Apple's non-industry standard language de jours, I suppose there could be some room for massive fail.

      Bets on whether there's still WebObjects code in there somewhere?

      • Well, looking at the error now, I guess it was specifically an issue with her last name, and probably something generically taking the serialized data and changing "True" to true without consideration for the data type.

        Ugh. ...and yes, for the record, I absolutely hate fad languages and this ADD approach to computer science. There is something to be said for sticking with time-tested languages and tools, with mature, robust libraries, rather than turning to the next "shiny thing" either to be cool and hip,

        • Ugh. ...and yes, for the record, I absolutely hate fad languages and this ADD approach to computer science. There is something to be said for sticking with time-tested languages and tools, with mature, robust libraries, rather than turning to the next "shiny thing" either to be cool and hip, or simply to be proprietary (as usually the case with Apple) for the sake of "think different" or maybe more correctly "lock out other platforms".

          Apple used straight C as its primary language for many years, until adopting Objective C (a strict superset of C) as its system language for OSX and later iOS. Objective C was created in 1984 and was Apple's most-used language until around 2018--does that count as time tested? gcc has supported Objective C for almost that entire period.

          Here are some popular languages that did not exist in 1984. Python, Perl, Java, and ... C++.

          Apple released Swift, an open source language, under the Apache license, ~6 years

    • Sorry, but "racheltrue@icloud.com" has no delimiters that might mess with a concatenated query, and definitely would not affect properly sanitized, delimited, quoted string parameters for a SQL query.

      It's not an SQL issue. just look at the error: https://twitter.com/RachelTrue... [twitter.com]

  • The fact is, if her name was "true" then everything would work.

    Every good developer knows that with speculative execution positive test branches are faster, so developers are testing for true, not false.

    And anyway, nobody actually looks at the name; they're looking at the GUID that represents the name.

    Maybe she forgot to send in her trade-in, like the last guy in the other the bullshit Apple article.

  • Nobody halfway competent would write software with this issue. Looks like they are now having fully incompetent "software developers" wrote important stuff.

  • by Gravis Zero ( 934156 ) on Sunday March 07, 2021 @12:48PM (#61133288)

    If you look at the image of the actual error [twitter.com] you will realize this is a client problem. What has happened is that when the program read the iCloud information it is reading variable values from a text source (e.g. config file) and it's then assigning the values to variables. When it parses the text "True" it converts it into a boolean value. However, the destination variable is a string. The result is the program throws an error saying there is a type mismatch.

    This is a client-side bug in the software, likely a config file parsing library. The program initially accepted the value from text entry and stored it in some config file. When the config file is read back then it erroneously interprets the value as being boolean.

    • by ledow ( 319597 )

      The program is trusting user-controlled input without adequate sanitisation.

      This is a trivial class of problem that SHOULD NOT HAPPEN, but in this instance it's the most minor of knock-on effects, locking a user out of their account.

      That this entire class of problem exists is far more serious, because what else is that program interpreting literally rather than sanitising first from that configuration file, what permissions does it run with, and what could you make it evaluate other than just True?

      Simply sh

      • The program is trusting user-controlled input without adequate sanitisation.

        There is nothing wrong with the value "True" which is why it accepted it. The problem is with how the value is interpreted after it is was read from a stored copy.

        This is a trivial class of problem that SHOULD NOT HAPPEN

        This much is true. It's just a guess but it seems like it's reading in a quoted value, stripping the quotes, and then deciding the type of value it should be. Then again, if it wasn't a quoted value to start with then that is a serious flaw.

    • Why would a UI be trying to parse a last name into anything but a string ?
      • The library parsing the config file has no idea what the values are supposed to be, so it detects the type of values. In this case it does so incorrectly because it thinks "True" is a boolean value. When the program tries to assign this value to the variable, it throws an unhandled exception because it was expecting a string.

  • "Allegedly" (Score:5, Insightful)

    by LenKagetsu ( 6196102 ) on Sunday March 07, 2021 @01:03PM (#61133328)

    So when it's an apple bug, it's "allegedly"?

  • And just to think I was irritated this morning that some random website wouldn't accept my 64-letter randomly generated password out of LastPass and would only accept a length of 16.
  • I swear.

  • When I get a dog I'm naming it Boolean Bobby Drop Tables True

    Follow Steve Wright's lead [dogquotations.com] and name it "Stay":

    I bought a dog the other day. I named him Stay. It's fun to call him. "Come here, Stay! Come here, Stay!" He went insane. Now he just ignores me and keeps typing. He's an East German Shepherd.

    Then take it for a walk -- one:

    I took my dog for a walk, all the way from New York to Florida. I said to him "There, now you're done."

  • Im calling bullshit, theres a big difference between a string with True and a boolean literal of true. SQL isnt that dumb.
  • Instead of making a big deal of this and troubling Apple Corp about it, she should simply legally change her last name to ".not.false".
  • people with names like root, admin, sys, superuser, administrator, etc?
    people with names the same as the vendor?

    May blocked on cloud systems.

No spitting on the Bus! Thank you, The Mgt.

Working...